05-07-2010 12:24 PM - edited 02-21-2020 04:38 PM
Hi,
Can we have multiple crypto maps on Cisco routers using loopback addresses? We need this implementation because we have redundant paths and want to split subnets by using a separate crypto map for each subnet, and IPsec to be always up even if one of the links fails.
Thanks.
Akhilesh
03-18-2013 06:34 AM
Hi Mitra,
I can see that you already have an answer for what you asked, but just to add my two cents here:
A crypto map is not supported on a Loopback. If you would like to use it as your VPN endpoint, then check this option:
HTH.
Portu.
06-26-2014 03:46 AM
I just have an issue with this kind of problem. Just to be sure: you are saying that a Loopback interface cannot support a crypto map on it? There must be a "crypto map" command on a physical interface? Am I right? Is this correct?
Thank you.
Petar
10-31-2017 06:42 AM
Can you please tell me what was changed?
In my case I need to have many IPsec VPNs and I thought a Loopback could be used as the source peer IP. But now I'm seeing that traffic can't be routed through the Loopback IP and that's the reason the tunnel is not coming up. Is there a way to do this?
06-26-2014 04:15 AM
I think specifically I had some restrictions when I tried to perform that with an ASR and ended up having the crypto on the egress interfaces.
What I did was use two routers where the tunnels were in a VRF RIB.
I needed to add a VRF static route for the destination networks through the global IP next hop.
That's what suited my needs.
06-26-2014 05:06 AM
I did not get this. Could you explain it to me further? Or send some conf file, or copy your configuration here... That is the easiest way that I can think of...
Thank you.
Petar
06-26-2014 06:27 AM
Hope this would assist.
! Loopback used only as the IKE/IPsec source address (keyring local-address)
interface Loopback1
 description ### LOOPBACK IPSEC ###
 ip address 95.95.95.1 255.255.255.255
!
crypto keyring KEYS-HOSTING-SJ
 local-address 95.95.95.1
 pre-shared-key address 63.63.63.1 key Re*kup#ha4Ha
!
crypto isakmp profile ISAKMP-HOSTING-SJ
 vrf VPN
 keyring KEYS-HOSTING-SJ
 match identity address 63.63.63.1 255.255.255.255
!
crypto ipsec transform-set TRANS_SET-HOSTING-SJ esp-aes esp-sha-hmac
 mode tunnel
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map VPN_GENERIC-S2S 20 ipsec-isakmp
 description ### VPN S2S HOSTING-SJ ASA ###
 set peer 63.63.63.1
 set transform-set TRANS_SET-HOSTING-SJ
 set pfs group2
 set isakmp-profile ISAKMP-HOSTING-SJ
 match address IPSEC-VPN-ACL_HOSTING-SJ
!
ip access-list extended IPSEC-VPN-ACL_HOSTING-SJ
 permit ip 10.23.0.0 0.0.255.255 10.10.2.0 0.0.0.255
!
! VRF static route to the remote subnet via the global next hop, withdrawn when track 102 goes down
ip route vrf VPN 10.10.2.0 255.255.255.0 208.208.208.202 track 102 name SLA102-VPN_TU_US-SJWC-PROXY-SUBNET-NH-GLOBAL-ISP-1
!
ip sla 102
 icmp-echo 63.63.63.1 source-ip 95.95.95.1
 tag VPN-TRACK-ROUTE102-TO-HOSTING-SJ
 threshold 3000
 frequency 5
ip sla schedule 102 life forever start-time now
ip sla reaction-configuration 102 react timeout threshold-type xOfy 2 5 action-type trapOnly
!
! The crypto map is applied on the physical egress interface, not on the Loopback
interface GigabitEthernet0/0/0
 description ##### ISP : CROSS CONNECT 1 TO ISP-1 ###
 ip address 208.208.208.201 255.255.255.252
 ip flow ingress
 load-interval 30
 negotiation auto
 crypto map VPN_GENERIC-S2S
Once the tracking fails, the other router has the route in its routing table and it takes its place.
06-26-2014 06:47 AM
Thank you... That was helpful...
Sincerely,
Petar
06-26-2014 06:57 AM
Tell and pls rate if it's working for ya :)
06-26-2014 07:04 AM
It does not work for me, but I managed to find out why (based on your reply)... The crypto map has to be on a physical interface... I tried to put the crypto map under the Loopback interface, but that does not work... I suspected that could be the problem, and your case convinced me...
Sincerely,
Petar
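The rule the thread arrives at (crypto map on the physical egress interface, Loopback address used only as the keyring local-address) can be checked mechanically before a config is pushed. The following audit script is an added example, not any poster's configuration; the two sample configs it embeds are constructed (with the pre-shared key left out) and the finding texts are my own wording.

```python
import re
# Constructed samples (no real key): the layout the thread ends with, and the
# mistake Petar describes (crypto map placed under the Loopback).
GOOD_CONFIG = ("interface Loopback1\n ip address 95.95.95.1 255.255.255.255\n"
               "crypto keyring KEYS-HOSTING-SJ\n local-address 95.95.95.1\n"
               "interface GigabitEthernet0/0/0\n crypto map VPN_GENERIC-S2S\n")
BAD_CONFIG = ("interface Loopback1\n ip address 95.95.95.1 255.255.255.255\n"
              " crypto map VPN_GENERIC-S2S\ncrypto keyring K\n local-address 10.0.0.1\n")

def parse_blocks(config):
    """Group each indented IOS line under the top-level command above it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_crypto_map_placement(config):
    """Return findings for the thread's rule: crypto map belongs on a physical
    interface; the Loopback address is used only as the keyring local-address."""
    blocks = parse_blocks(config)
    findings, loopback_ips, map_ifaces = [], set(), []
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        is_lo = name.lower().startswith("loopback")
        for line in body:
            addr = re.match(r"ip address (\S+) \S+", line)
            if addr and is_lo:
                loopback_ips.add(addr.group(1))
            if line.startswith("crypto map "):
                map_ifaces.append(name)
                if is_lo:
                    findings.append(f"{name}: crypto map on a Loopback is not supported")
    if not map_ifaces:
        findings.append("no interface carries a crypto map; IPsec cannot negotiate")
    for header, body in blocks.items():
        if header.startswith("crypto keyring "):
            local = [l.split()[1] for l in body if l.startswith("local-address ")]
            if local and local[0] not in loopback_ips:
                findings.append(f"{header}: local-address is not a Loopback address")
    return findings
```

Running `audit_crypto_map_placement` on a full running-config (one space of indentation per sub-command, as IOS prints it) returns an empty list when the placement matches the thread's working layout.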